Ingress

Yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - host: xxx.ctg.com  # optional
    http:
      paths:
      - path: /foo
        backend:
          serviceName: service1
          servicePort: xx

HTTPS

Suppose we want to reach the tomcat service at https://tomcat.ctg.com. The steps are as follows.

First, create a certificate. Here we use a self-signed certificate.

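# Generate a 2048-bit RSA key (1024-bit RSA is too weak for TLS), then a self-signed certificate for the host
$ openssl genrsa -out tls.key 2048
$ openssl req -x509 -new -nodes -key tls.key -subj "/CN=tomcat.ctg.com" -days 3650 -out tls.crt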

The generated tls.key and tls.crt look like this:

$ cat tls.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

$ cat tls.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

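Then create a Secret to store tls.key and tls.crt. When storing the contents of tls.key and tls.crt in the Secret, remove the first and last lines of each file and join the remaining lines into a single line (that is, remove the newlines). The resulting Secret looks like this: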

apiVersion: v1
kind: Secret
metadata:
  name: tomcat
type: kubernetes.io/tls
data:
  tls.key: ...
  tls.crt: ...

Then create an Ingress (remember to create the Deployment and Service as well):

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tomcat
spec:
  rules:
  - host: tomcat.ctg.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat
          servicePort: 8080
  tls:
  - secretName: tomcat
    hosts:
    - tomcat.ctg.com

After that, we can access https://tomcat.ctg.com.

Undefined behavior

1. The same path within one Ingress

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8080
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8081

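The Ingress above is created successfully without any error, but when we access x.x.x.x:80/foo it is undetermined whether the Nginx-Ingress-Controller forwards the request to test:8080 or test:8081.

2. Two Ingresses with the same Host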

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - host: test.ctg.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8080

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test1
spec:
  rules:
  - host: test.ctg.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8080

Illegal behavior

1. The same Host within one Ingress

Creating the following YAML file fails with an error because the hosts are identical.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - host: test.ctg.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8080
  - host: test.ctg.com
    http:
      paths: 
      - path: /bar
        backend:
          serviceName: test
          servicePort: 8081
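
A pre-apply check for the three cases above (the same path twice in one rule, one host in two Ingresses, the same host twice in one Ingress), as an added example that is not part of the original page. The `ingress` helper, `lint_ingresses`, the finding labels and the Ingress names `dup-path` and `dup-host` are hypothetical, and the manifests are constructed Python dicts that mirror the YAML on this page. Ingresses are compared by name only, assuming a single namespace.

```python
from collections import defaultdict

def ingress(name, *rules):
    """Hypothetical helper: rules are (host_or_None, [(path, service, port), ...])."""
    return {"apiVersion": "networking.k8s.io/v1beta1", "kind": "Ingress",
            "metadata": {"name": name},
            "spec": {"rules": [
                {**({"host": host} if host else {}),
                 "http": {"paths": [
                     {"path": p, "backend": {"serviceName": s, "servicePort": port}}
                     for p, s, port in paths]}}
                for host, paths in rules]}}

def lint_ingresses(ingresses):
    """Return sorted (finding, ingress names, detail) tuples for the page's three cases."""
    findings = []
    host_owners = defaultdict(set)  # explicit host -> names of Ingresses declaring it
    for ing in ingresses:
        name = ing["metadata"]["name"]
        seen_hosts = set()
        for rule in ing.get("spec", {}).get("rules", []):
            host = rule.get("host")  # None means the rule applies to any host
            if host:
                if host in seen_hosts:
                    findings.append(("illegal:duplicate-host-in-ingress", (name,), host))
                seen_hosts.add(host)
                host_owners[host].add(name)
            seen_paths = set()
            for entry in rule.get("http", {}).get("paths", []):
                path = entry.get("path", "/")
                if path in seen_paths:  # two backends compete for the same path
                    findings.append(("undefined:duplicate-path-in-rule", (name,),
                                     f"{host or '*'}{path}"))
                seen_paths.add(path)
    for host, owners in host_owners.items():
        if len(owners) > 1:  # the page lists this as undefined behavior
            findings.append(("undefined:host-in-multiple-ingresses",
                             tuple(sorted(owners)), host))
    return sorted(findings)

# Constructed sample manifests mirroring the YAML on this page.
DUP_PATH = ingress("dup-path", (None, [("/foo", "test", 8080), ("/foo", "test", 8081)]))
TEST = ingress("test", ("test.ctg.com", [("/foo", "test", 8080)]))
TEST1 = ingress("test1", ("test.ctg.com", [("/foo", "test", 8080)]))
DUP_HOST = ingress("dup-host", ("test.ctg.com", [("/foo", "test", 8080)]),
                   ("test.ctg.com", [("/bar", "test", 8081)]))

if __name__ == "__main__":
    for case in ([DUP_PATH], [TEST, TEST1], [DUP_HOST]):
        for finding in lint_ingresses(case):
            print(finding)
```

Running the same function over the manifests rendered in CI, before they are applied, surfaces the two undefined cases that the API server accepts without an error.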
